When you specify an encryption cert in web.config, does WIF require that all incoming tokens are encrypted with this cert, or does it just specify that if a token comes in encrypted, this is the cert used to decrypt it (optional vs. mandatory encryption)?
<system.identityModel.services>
  <federationConfiguration>
    <!-- Certificate whose private key WIF uses to decrypt incoming encrypted tokens -->
    <serviceCertificate>
      <certificateReference findValue="DC=ACME, DC=com, OU=ACME Development, CN=ACME Token Encryption Cert (FOR TEST ONLY)"
                            storeLocation="LocalMachine"
                            storeName="My"
                            x509FindType="FindBySubjectDistinguishedName" />
    </serviceCertificate>
  </federationConfiguration>
</system.identityModel.services>